#VU54520 Input validation error in PyYAML


Published: 2021-07-10

Vulnerability identifier: #VU54520

Vulnerability risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-14343

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
PyYAML
Web applications / Modules and components for CMS

Vendor: The YAML Project

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when processing untrusted YAML files through the full_load method or with the FullLoader loader. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the system by abusing the python/object/new constructor.

Note, the vulnerability exists due to incomplete patch for vulnerability #VU25823.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PyYAML: 5.1 - 5.3.1

External links
http://bugzilla.redhat.com/show_bug.cgi?id=1860466

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Juniper Networks Junos cRPD
Multiple vulnerabilities in Juniper Cloud Native Router
Input validation error in IBM Cloud Pak for Data System
Gentoo update for PyYAML
Multiple vulnerabilities in IBM Cloud Pak for Network Automation
Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools
Multiple vulnerabilities in Dell PowerStore Family
SUSE update for python-PyYAML
SUSE update for python-PyYAML
Multiple vulnerabilities in Oracle Communications Cloud Native Core Network Function Cloud Native Environment